Silicon Valley thinks it has a massive moat. Executives at major artificial intelligence labs brag about their multi-billion-dollar clusters and proprietary datasets. They genuinely believe that the sheer cost of training a frontier model will keep foreign adversaries locked out of the top tier.
They're completely wrong.
While Washington debates chip export bans and data center security, Chinese tech firms have quietly found an elegant, dirt-cheap backdoor. It's called AI distillation. Instead of spending hundreds of millions of dollars to train a model from scratch, engineers are simply feeding the outputs of top-tier American models straight into smaller, cheaper systems. It's the ultimate shortcut.
The strategy works remarkably well. In fact, it works so well that the White House issued National Security and Technology Memorandum 4 (NSTM-4) to crack down on what it called industrial-scale campaigns to distill U.S. frontier systems. This isn't a hypothetical threat anymore. It's happening right now at a scale that should terrify anyone who cares about American technological leadership.
The Illusion of the Compute Moat
For years, the consensus was simple. If you have the most graphics processing units (GPUs) and the biggest pile of cash, you win. This logic justified massive infrastructure investments in the United States. It also drove the logic behind export controls designed to keep advanced chips out of China.
Distillation flips that entire thesis on its head.
To understand why, you have to understand what distillation actually does. In a typical engineering environment, distillation is completely legitimate. A company takes a massive, expensive model—the teacher—and uses its outputs to train a much smaller, faster model—the student. The student model gets incredibly smart without needing the massive compute budget required to train the original. Google did this with its Gemini Flash series. It's standard practice.
But when a geopolitical rival does it to your proprietary systems without permission, it becomes a massive security vulnerability.
Chinese labs don't need access to the underlying code or the model weights. They don't need to hack into a server room in San Francisco. They just need an API key and a swarm of automated accounts. By systematically prompting American models and capturing the responses, they can extract the core reasoning capabilities, the data-cleaning methodologies, and even the internal reward models that took American firms years to develop.
The cost savings are staggering. Training a frontier model from scratch can cost upwards of $100 million in electricity and compute. Distilling those same capabilities through an API costs a tiny fraction of that amount. The expensive compute bottleneck disappears.
Inside the Massive Alibaba and Anthropic Escalation
The sheer scale of this operation came to light in a major way. Anthropic publicly accused Alibaba and its Qwen AI lab of running the largest known AI distillation campaign in history.
The numbers are wild.
Between April and June, operators linked to Alibaba allegedly used nearly 25,000 fake accounts to generate a staggering 28.8 million interactions with Claude. They weren't just chatting. They were systematically mining the model. They targeted specific capabilities, including advanced reasoning across complex tasks and rubric-based grading systems.
"These coordinated campaigns systematically extract capabilities from American AI models, exploiting American expertise and innovation." - White House NSTM-4 Statement
The retaliation was swift. Anthropic started tracking system time zones, proxy servers, and network characteristics to block Chinese users. They even baked experimental tracking features into tools like Claude Code to detect when Chinese infrastructure was hitting their systems.
Alibaba reacted by ordering its employees to stop using Claude Code entirely, directing them instead to use an internal tool called Qoder. The tech giant claimed the American tool posed an organizational security risk. It's a classic case of geopolitical mirror-imaging.
This wasn't an isolated incident either. Earlier, Anthropic caught other Chinese labs generating over 16 million exchanges through 24,000 fraudulent accounts. OpenAI made similar accusations against DeepSeek, alleging that the firm used ChatGPT outputs to train its R1 reasoning model.
Why Washington Is Losing This Whack-A-Mole Game
The U.S. government is trying to fight a software problem with hardware weapons. Export controls on advanced chips like Nvidia's H100s or B200s make for great headlines, but they don't stop distillation.
A Chinese lab with limited access to top-tier hardware can still take an excellent open-source base model, like Meta's Llama series, and use distilled data from Claude or GPT-4 to fine-tune it. They don't need a massive supercomputer cluster to do that. The heavy lifting of discovering how an AI should reason has already been done and paid for by American venture capital.
There are four primary ways these campaigns extract value from U.S. systems.
- Synthetic Data Generation: Internet data is running dry. High-quality human data is locked behind paywalls. Chinese labs prompt American models to generate massive volumes of high-quality synthetic text to train their own systems.
- Chain-of-Thought Extraction: Frontier models don't just give answers; they think out loud step-by-step. Chinese developers use prompt injections to trick American systems into revealing these hidden internal reasoning steps, then feed those exact thought processes into their student models.
- Data Cleaning: Raw data is incredibly messy. Cleaning it requires immense computing power. Chinese developers use American APIs to filter, categorize, and clean their own messy datasets for free.
- Reward Modeling: Training an AI to behave well requires a reward model based on human preferences. Labs use American outputs to build their own reward systems, skipping the expensive process of hiring thousands of human evaluators.
Current intellectual property laws are completely useless here. Copyright and trade secret laws weren't built for a world where a competitor doesn't copy your code, but instead learns from the behavior of your software. If a human reads a textbook and learns a concept, that isn't theft. Distillation operates in a terrifying legal gray area that makes traditional lawsuits nearly impossible.
The Benchmark Trap
If you look at public AI leaderboards, Chinese models frequently rank near the top. Many Western analysts look at these scores and panic, thinking China has completely closed the gap.
That's an illusion caused by distillation.
When you distill a model, you can teach it to perform incredibly well on specific, standardized tests. You're essentially teaching the model the answers to the exam. A distilled model might score a 90% on a math benchmark, matching the teacher model perfectly.
But change the wording of the questions slightly, or test it on a completely novel problem, and the distilled model often falls apart. It lacks the deep, generalized capability of the system it copied. The foundation is fragile.
Even worse, these distilled models purposefully strip out the security guardrails built into Western AI. American labs spend millions of dollars ensuring their models won't help users build biological weapons or launch cyberattacks. When a foreign lab distills those capabilities, they can easily bypass those safety protocols. You end up with a highly capable reasoning engine that has absolutely no moral or operational constraints.
How American AI Labs Can Protect Themselves
Stopping this requires a complete shift in defensive strategy. Cloud firewalls and basic API rate-limiting are no longer enough. Labs have to start treating their model outputs as proprietary intellectual property that requires active defense.
First, labs must hide the internal chain-of-thought data entirely. If a model reveals its step-by-step reasoning path to the end-user via an API, it's begging to be distilled. Obfuscating or completely stripping these reasoning tokens from the public output makes it infinitely harder for an attacking model to learn how the teacher arrived at an answer.
Second, labs need to deploy advanced behavioral analytics on their APIs. A user who asks 500 slightly different variations of a highly technical question every hour isn't a human researcher. They're a scraping bot running a distillation campaign. Identifying these subtle, industrial-scale prompting patterns through real-time telemetry is the only way to kill the accounts before they drain millions of tokens.
Finally, the industry needs to accept that static models are dead assets. If yesterday's model can be easily distilled, the only true defense is continuous, rapid improvement. A competitor can copy your current capabilities, but if you ship a significantly smarter version three months later, their distilled student model is instantly outdated. The speed of iteration is the only real moat left.